Outdated software could cause offshore troubles

Computer systems that keep offshore drilling rigs running safely are among the most vulnerable to security threats because of old software that oil companies have been reluctant to update.

The aging software exposes offshore systems to digital infection that could cause equipment to malfunction, even triggering blowouts, explosions, oil spills or lost lives in a worst-case scenario, security professionals said.

Software updates are critical to improving security because their main purpose is to respond to viruses and other malicious programs that can give intruders the ability to control a system.

While most corporate and consumer machines receive regular system and software updates to patch up holes in security, many computers on offshore energy facilities have not been updated in years, leaving them open to havoc from computer assaults that would be rendered harmless by routine software upgrades.

"Definitely, you're playing toward the attackers' preference if you have significantly unpatched systems out there," said Jack Whitsitt, principal tactical analyst for the National Electric Sector Cybersecurity Organization. "You open wide the window of exposure."

Oil companies are working to improve their defenses to such infections, either from hackers that deliberately target them or from random malware that could jam up computers.

But old software is ubiquitous, said Michael Van Gemert, manager of systems and controls for Lloyds Register Drilling Integrity Services, which inspects offshore systems.

Part of the problem is cost.

What's more, the oil industry historically has made large investments in heavy equipment - hardware that can last for decades and foster complacency about software with shorter shelf life, said Brandon Dunlap, chief marketing officer for EnergySec, a nonprofit Internet security organization.

Some companies believe the computers that monitor and control their major systems are safe because they are isolated from the Internet and from other machines, but they often get infected anyway.

CIA chief's advice

The Houston Chronicle reported recently that offshore networks have been contaminated and in some cases incapacitated by malware, and isolated computers on offshore rigs and platforms have received viruses unintentionally transferred on USB devices or other means.

Former Central Intelligence Agency Director Michael Hayden has said that energy companies should assume, in many cases, that their systems are infected.

But updating systems to harden them against malicious software can be a challenge for companies trying to cut costs, said Ed Bott, a Microsoft Windows expert who writes for the technology website ZDNet.

"There's managers who look at a system and they say we can get another three years out of this system instead of replacing it now. And they're gambling," Bott said. "They're basically betting that nothing bad will happen and they will get away with it. But when they don't, the consequences are catastrophic."

The problem may get worse in April 2014, when Microsoft plans to cut security support for Windows XP, a 12-year-old operating system that is used widely on energy company networks. The end of that support will eliminate even the option for updates.

Bott said that even up-to-date versions of XP have inherent problems.

"You have a fundamentally insecure architecture," he said. "So all of the patching that was done was basically constantly going around fixing holes in it."

Windows XP was developed in a more innocent age of Internet security, and lessons learned from viruses and malware attacks on XP helped inform development of the subsequent generations of Microsoft operating systems - Windows Vista, Windows 7 and Windows 8, Bott said.

But changing the system software for computers on an offshore rig or other energy network could cause major headaches, including possibly disabling some of the applications on those systems, said Stephen Coty, director of threat research for Houston-based network security firm Alert Logic.

Costs, challenges

Many of the programs that monitor the safe operation of equipment were written by contract programmers who built an application for an equipment manufacturer and then moved on, never performing an update. To keep those systems safe and operational, companies would have to update the operating systems, then install new versions of critical programs that would work on the newer platforms.

That would entail huge costs, requiring teams of programmers to craft new applications, Bott said.

So companies resist taking on the costs and challenges associated with updating software offshore.

"You almost can understand why it takes so long," Coty said. "But to not do it at all is negligent. At least have a plan in place as to how you're going to do it. That's better than nothing."